The Information Commissioner’s Office (ICO) has issued a reprimand to the Department for Education (DfE) following the prolonged misuse of the personal information of up to 28 million children.
An ICO investigation found that the DfE’s poor due diligence meant a database of pupils’ learning records was ultimately used by Trust Systems Software UK Ltd (trading as Trustopia), an employment screening firm, to check whether people opening online gambling accounts were 18.
The DfE has overall responsibility for the learning records service database (LRS), which provides a record of pupils’ qualifications that education providers can access. The ICO found the DfE continued to grant Trustopia access to the database when it advised the Department that it was the new trading name for Edududes Ltd, which had been a training provider.
Trustopia was in fact a screening company and used the database for age verification, a service they offered to companies including GB Group, which helped gambling companies confirm customers were over 18. This data sharing meant the information was not being used for its original purpose. This is against data protection law.
The ICO issued a reprimand to the DfE setting out clear measures it needs to take to improve its data protection practices so that children’s data is properly looked after.
In June 2022 John Edwards, UK Information Commissioner, announced a new approach towards the public sector with the aim of reducing the impact of fines on the public. Had this new trial approach not been in place, the DfE would have been issued with a fine of over £10 million in this specific case.
John Edwards, UK Information Commissioner, said:
“No-one needs persuading that a database of pupils’ learning records being used to help gambling companies is unacceptable. Our investigation found that the processes put in place by the Department for Education were woeful. Data was being misused, and the Department was unaware there was even a problem until a national newspaper informed them.
“We all have an absolute right to expect that our central government departments treat the data they hold on us with the utmost respect and security. Even more so when it comes to the information of 28 million children.
“This was a serious breach of the law, and one that would have warranted a £10 million fine in this specific case. I have taken the decision not to issue that fine, as any money paid in fines is returned to government, and so the impact would have been minimal. But that should not detract from how serious the errors we have highlighted were, nor how urgently they needed addressing by the Department for Education.”
Details of the incident
The ICO started its investigation after receiving a breach report from the DfE about the unauthorised access to the LRS database. The DfE had only become aware of the breach from an exposé in a national Sunday newspaper.
The ICO found that the LRS database holds personal information of up to 28 million children and young people from the age of 14. The database records full name, date of birth, and gender, with optional fields for email address and nationality. It also records a person’s learning and training achievements. The data is kept for 66 years.
At the time of the breach, 12,600 organisations had access to the LRS database, including schools, colleges, higher education institutions, and other education providers. This access allows organisations to carry out a number of functions, including verifying the academic qualifications of potential students or checking whether they are eligible for funding.
The ICO found that Trustopia had access to the LRS database from September 2018 to January 2020 and that it had carried out searches on 22,000 learners for age verification purposes. The DfE confirmed that Trustopia has never provided any government-funded educational training.
By granting LRS database access to Trustopia, the DfE failed in its obligations to use and share children’s data fairly, lawfully and transparently. It also failed to prevent unauthorised access to children’s data, have proper oversight of the data or stop the data being used for reasons not compatible with the provision of educational services.
The ICO acknowledges that since the incident, the DfE has removed access to the LRS database from 2,600 organisations and has strengthened its registration process. The DfE also regularly checks for excessive searches on the database and proactively de-registers organisations that no longer use it.
The timing of the incident coincided with the ICO serving an assessment notice on the DfE and a compulsory audit. The DfE agreed to include enquiries in relation to the LRS with the audit. The DfE has actively engaged with the ICO since the 2020 audit and continues to take significant steps in improving its data protection practices.
The ICO conducted a simultaneous investigation into Trustopia, during which the company confirmed it no longer had access to the database and the cache of data held in temporary files had been deleted. Trustopia was dissolved before the ICO investigation concluded, therefore regulatory action was not available.
Notes to editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.